private static AuthHandle EstablishOIAP(TPMWrapper tpm) { ILog log = LogManager.GetLogger("EstablishOIAP"); for (int i = 0; i < 2; i++) { TPMCommandRequest request = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OIAP, new Parameters()); TPMCommandResponse response = tpm.Process(request); AuthHandle myAuthHandle = response.Parameters.GetValueOf <AuthHandle> ("auth_handle"); // Parameters parameters = new Parameters (); // parameters.AddValue ("handle", myAuthHandle); // TPMCommandRequest requestFlush = new TPMCommandRequest (TPMCommandNames.TPM_CMD_FLUSH_SPECIFIC, parameters); // tpm.Process (requestFlush); //return myAuthHandle; } Parameters listHandlesParameters = new Parameters(); listHandlesParameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE); listHandlesParameters.AddPrimitiveType("handle_type", TPMResourceType.TPM_RT_AUTH); TPMCommandRequest listHandlesRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability, listHandlesParameters); TPMCommandResponse listHandlesResponse = tpm.Process(listHandlesRequest); HandleList loadedKeyHandles = listHandlesResponse.Parameters.GetValueOf <HandleList> ("handles"); return(null); }
public void LoadAuthHandle(AuthHandle authHandle) { using (new LockContext(_authHandles, "AuthHandleManager::LoadAuthHandle")) { List <AuthHandleItem> myAuthHandles = _authHandles.FindAuthHandles(AuthHandleItem.AuthHandleStatus.SwappedOut); _logger.DebugFormat("LoadAuthHandle: #{0}", myAuthHandles.Count); foreach (AuthHandleItem handleItem in myAuthHandles) { _logger.DebugFormat("LoadAuthHandles: Found auth handle {0} with status {1}", handleItem.AuthHandle, handleItem.Status); if (handleItem.AuthHandle == authHandle && handleItem.Status != AuthHandleItem.AuthHandleStatus.SwappedIn) { //If we have an OSAP auth handle, make sure that the corresponding resource is loaded AuthSessionNum authSession = handleItem.AssociatedCommand.Value.Key; IAuthorizableCommand cmd = handleItem.AssociatedCommand.Value.Value; KeyHandle newKeyHandle; if (cmd.GetEntityType(authSession) == TPMEntityTypeLSB.TPM_ET_KEYHANDLE && cmd.GetHandle(authSession) != KeyHandle.KEY_SRK) { cmd.KeyManager.LoadKey(cmd.GetHandle(authSession)); newKeyHandle = cmd.KeyManager.IdentifierToHandle(cmd.GetHandle(authSession)); if (handleItem.AuthHandle.EntityValue != newKeyHandle.Handle) { throw new ArgumentException(string.Format("OSAP with entity type={0}, entity value={1} could not be restored", handleItem.AuthHandle.EntityType, handleItem.AuthHandle.EntityValue)); } } SwapIn(handleItem); _logger.DebugFormat("LoadAuthHandles: Swapped in {0}", handleItem.AuthHandle); } } } }
private AuthHandleItem FindAuthHandleItem(AuthHandle authHandle) { foreach (AuthHandleItem item in _authHandles) { if (item.AuthHandle == authHandle) { return(item); } } return(null); }
protected override TPMCommandResponse InternalProcess() { // Unencrypted authorization values, they need to be XOR-Encrypted with // XOR(auth, SHA-1(OSAP shared secret | session nonce)) // // OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap) AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1); _encAuth = _params.GetValueOf <byte[]> ("data_auth"); byte[] xorKey = new HashProvider().Hash( new HashByteDataProvider(auth1OSAP.SharedSecret), new HashByteDataProvider(auth1OSAP.NonceEven)); ByteHelper.XORBytes(_encAuth, xorKey); //Load parent key if not loaded _keyManager.LoadKey(_params.GetValueOf <string>("key")); TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Seal); //key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.Write(_encAuth, 0, 20); TPMBlobWriteableHelper.WriteITPMBlobWritableWithUIntSize(requestBlob, _pcrInfo); requestBlob.WriteUInt32((uint)_inData.Length); requestBlob.Write(_inData, 0, _inData.Length); AuthorizeMe(requestBlob); using (_keyManager.AcquireLock()) { requestBlob.SkipHeader(); requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf <string>("key")).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); TPMStoredDataCore sealedData = TPMStoredDataCore.CreateFromTPMBlob(_responseBlob); Parameters responseParams = new Parameters(); responseParams.AddPrimitiveType("data", ByteHelper.SerializeToBytes(sealedData)); return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Seal, responseParams)); }
public void RemoveAuthHandles(IAuthorizableCommand cmd, AuthHandle authHandle) { using (new LockContext(_authHandles, "AuthHandleManager::RemoveAuthHandles2")) { AuthHandleItem item = FindAuthHandleItem(authHandle); if (item == null) { return; } if (item.AssociatedCommand != null && item.AssociatedCommand.Value.Value == cmd) { InternalRemoveAuthHandle(item); } else { return; } } }
protected override TPMCommandResponse InternalProcess() { AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1); byte[] xorKey = new HashProvider().Hash( new HashByteDataProvider(auth1OSAP.SharedSecret), new HashByteDataProvider(auth1OSAP.NonceEven)); ByteHelper.XORBytes(_secret, xorKey); if (_secret.Length != 20) { throw new ArgumentException("secret needs to be 20 bytes long (SHA1 hash)"); } if (_label.Length != 4) { throw new ArgumentException("Label needs to be 4 bytes long"); } using (TPMBlob requestBlob = new TPMBlob()) { requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_CreateCounter); requestBlob.Write(_secret, 0, 20); requestBlob.Write(_label, 0, 4); _responseBlob = AuthorizeMeAndTransmit(requestBlob); } _responseBlob.SkipHeader(); _responseParameters = new Parameters(); _responseParameters.AddPrimitiveType("counter_id", _responseBlob.ReadUInt32()); _responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob)); return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateCounter, _responseParameters)); }
public void RemoveAuthorizationHandle(IAuthorizableCommand cmd, AuthHandle handle) { _tpmContext.AuthHandleManager.RemoveAuthHandles(cmd, handle); }
public void DestroyAuthorizationHandle(IAuthorizableCommand cmd, AuthHandle handle) { _tpmContext.AuthHandleManager.DestroyAuthHandles(cmd, handle); }
protected override TPMCommandResponse InternalProcess() { // Unencrypted authorization values, they need to be XOR-Encrypted with // XOR(auth, SHA-1(OSAP shared secret | session nonce)) // // OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap) AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1); _usageAuth = _params.GetValueOf <byte[]> ("usage_auth"); _migrationAuth = _params.GetValueOf <byte[]> ("migration_auth"); byte[] xorKey = new HashProvider().Hash( new HashByteDataProvider(auth1OSAP.SharedSecret), new HashByteDataProvider(auth1OSAP.NonceEven)); ByteHelper.XORBytes(_usageAuth, xorKey); ByteHelper.XORBytes(_migrationAuth, xorKey); //Load parent key if not loaded _keyManager.LoadKey(_params.GetValueOf <string>("parent")); TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_CreateWrapKey); //parent key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.Write(_usageAuth, 0, 20); requestBlob.Write(_migrationAuth, 0, 20); _tpmKey.WriteToTpmBlob(requestBlob); using (_keyManager.AcquireLock()) { AuthorizeMe(requestBlob); requestBlob.SkipHeader(); if (_params.GetValueOf <string>("parent") == KeyHandle.KEY_SRK) { requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_SRK); } else { requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf <string>("parent")).Handle); } _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); TPMKeyCore newKey = new TPMKeyCore(_responseBlob); _responseParameters = new Parameters(); //Build and save the key identifier //The key identifier is the hex-string representation of the hash of the newly created key _responseParameters.AddPrimitiveType("key_identifier", ByteHelper.ByteArrayToHexString( new HashProvider().Hash( new HashByteDataProvider( ByteHelper.SerializeToBytes(newKey) ) ), "")); _responseParameters.AddPrimitiveType("key_data", ByteHelper.SerializeToBytes(newKey)); return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateWrapKey, _responseParameters)); }
public AuthHandleItem(AuthHandle authHandle, AuthHandleStatus status) { _authHandle = authHandle; _status = status; }
private AuthHandleItem CreateAuthHandle(IAuthorizableCommand cmd, AuthSessionNum authSession) { if (cmd.SupportsAuthType(AuthHandle.AuthType.OIAP)) { TPMCommandRequest oiapRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OIAP, new Parameters()); TPMCommandResponse oiapResponse = _tpmContext.TPM.Process(oiapRequest, cmd.CommandAuthHelper, cmd.KeyManager); if (oiapResponse.Status == false) { throw new TPMRequestException("Unknown error while creating oiap auth handle"); } AuthHandle newAuthHandle = oiapResponse.Parameters.GetValueOf <AuthHandle>("auth_handle"); AuthHandleItem authHandleItem = new AuthHandleItem(newAuthHandle, AuthHandleItem.AuthHandleStatus.SwappedIn); authHandleItem.AssociatedCommand = new KeyValuePair <AuthSessionNum, IAuthorizableCommand>(authSession, cmd); using (new LockContext(_authHandles, "CreateAuthHandle OIAP")) { _authHandles.AddAuthHandle(authHandleItem); AddNewItem(authHandleItem); } return(authHandleItem); } else if (cmd.SupportsAuthType(AuthHandle.AuthType.OSAP)) { Parameters parameters = new Parameters(); parameters.AddPrimitiveType("entity_msb", TPMEntityTypeMSB.TPM_ET_XOR); parameters.AddPrimitiveType("entity_lsb", cmd.GetEntityType(authSession)); string identifier = cmd.GetHandle(authSession); if (identifier == null) { throw new TPMRequestException("Missing entity value for OSAP session"); } parameters.AddPrimitiveType("entity_value", identifier); TPMCommandRequest osapRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OSAP, parameters); TPMCommandResponse osapResponse = _tpmContext.TPM.Process(osapRequest, cmd.CommandAuthHelper, cmd.KeyManager); if (osapResponse.Status == false) { throw new TPMRequestException("Unknown error while creating osap auth handle"); } AuthHandle newAuthHandle = osapResponse.Parameters.GetValueOf <AuthHandle>("auth_handle"); AuthHandleItem authHandleItem = new AuthHandleItem(newAuthHandle, AuthHandleItem.AuthHandleStatus.SwappedIn); authHandleItem.AssociatedCommand = new KeyValuePair <AuthSessionNum, IAuthorizableCommand>(authSession, cmd); using (new LockContext(_authHandles, "CreateAuthHandle OSAP")) { _authHandles.AddAuthHandle(authHandleItem); AddNewItem(authHandleItem); } return(authHandleItem); } else { throw new NotSupportedException("Command does not support a suitable AuthType"); } }
public override TPMCommandResponse Process() { TPMEntityTypeLSB entityLSB = _params.GetValueOf <TPMEntityTypeLSB>("entity_lsb"); TPMEntityTypeMSB entityMSB = _params.GetValueOf <TPMEntityTypeMSB>("entity_msb"); string identifier = _params.GetValueOf <string>("entity_value"); if (entityLSB != TPMEntityTypeLSB.TPM_ET_KEYHANDLE && entityLSB != TPMEntityTypeLSB.TPM_ET_SRK && entityLSB != TPMEntityTypeLSB.TPM_ET_OWNER) { throw new ArgumentException("TPM_OSAP does currently not support entityType: " + entityLSB.ToString()); } if (entityMSB != TPMEntityTypeMSB.TPM_ET_XOR) { throw new ArgumentException(string.Format("TPM_OSAP does currently not support '{0}' EncAuth encryption", entityMSB)); } if (entityLSB == TPMEntityTypeLSB.TPM_ET_KEYHANDLE || entityLSB == TPMEntityTypeLSB.TPM_ET_SRK) { //We now know that the current identifier is a key identifier (maybe srk, but then the value is ignored by TPM_OSAP). //So we invoke the key manager to load the key with the specified identifier and establish an OSAP session _keyManager.LoadKey(identifier); } //handle is not known yet AuthHandle authHandle = new AuthHandle(AuthHandle.AuthType.OSAP, 0); authHandle.EntityType = entityLSB; authHandle.NewNonceOddOSAP(); using (_keyManager.AcquireLock()) { TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_OSAP); requestBlob.WriteUInt16((ushort)(((ushort)entityMSB << 8) | (ushort)entityLSB)); if (entityLSB == TPMEntityTypeLSB.TPM_ET_KEYHANDLE || entityLSB == TPMEntityTypeLSB.TPM_ET_SRK) { if (identifier == KeyHandle.KEY_SRK) { requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_SRK); authHandle.EntityValue = (uint)TPMKeyHandles.TPM_KH_SRK; } else { KeyHandle keyHandle = _keyManager.IdentifierToHandle(identifier); requestBlob.WriteUInt32(keyHandle.Handle); authHandle.EntityValue = keyHandle.Handle; } } else if (entityLSB == TPMEntityTypeLSB.TPM_ET_OWNER) { requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_OWNER); authHandle.EntityValue = (uint)TPMKeyHandles.TPM_KH_OWNER; } requestBlob.Write(authHandle.NonceOddOSAP, 0, authHandle.NonceOddOSAP.Length); requestBlob.WriteCmdSize(); _commandAuthHelper.EnsureFreeSlot(); _responseBlob = TransmitMe(requestBlob); } _responseBlob.SkipHeader(); AuthHandleCore receivedAuthHandle = new AuthHandleCore(AuthHandle.AuthType.OSAP, _responseBlob); authHandle.UpdateFromOtherAuthHandle(receivedAuthHandle); _responseParameters = new Parameters(); _responseParameters.AddValue("auth_handle", authHandle); return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_OSAP, _responseParameters)); }